Description
Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Human workflow 11g+). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Process Management Suite. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Process Management Suite, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Process Management Suite accessible data as well as unauthorized read access to a subset of Oracle Business Process Management Suite accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-04-21
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Data Modification and Read
Action: Apply Patch
AI Analysis

Impact

The Vulnerability lies within the Human workflow 11g+ component of Oracle Business Process Management Suite and permits an unauthenticated attacker possessing HTTP network access to perform unauthorized update, insert or delete operations and read restricted data. The attack requires a human actor, other than the attacker, to interact with the system, yet no system credential is needed to begin the exploitation sequence. Successful exploitation leads to confidentiality and integrity compromise for data exposed through the suite, as reflected by the CVSS 6.1 score and the CVSS vector components impacting confidentiality and integrity.

Affected Systems

The affected installations are Oracle Business Process Management Suite versions 12.2.1.4.0 and 14.1.2.0.0, which are part of Oracle Fusion Middleware. The vulnerability may also affect other products that interact with or rely on the Human workflow component in these version lines.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 indicates medium severity, and the lack of an available EPSS score means the exploitation probability cannot be quantified. The vulnerability is not flagged in the CISA KEV catalog. Because the attack vector is network via HTTP and requires no authenticated access, the risk of a successful attack is non‑negligible; however, the necessity of a human interaction limits the efficiency of automated exploitation campaigns.

Generated by OpenCVE AI on April 22, 2026 at 05:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Oracle security patch for BPS Human workflow 11g+ covering versions 12.2.1.4.0 and 14.1.2.0.0
  • Restrict inbound HTTP traffic to the Business Process Management Suite servers to trusted IP addresses or apply firewall rules to block unnecessary external access
  • Disable or limit the Human workflow component if it is not required for business processes
  • Monitor system logs for unauthorized data modification or read activity and investigate incidents promptly

Generated by OpenCVE AI on April 22, 2026 at 05:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Allows Unauthorized Data Modification in Oracle Business Process Management Suite
Weaknesses CWE-287

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Human workflow 11g+). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Process Management Suite. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Process Management Suite, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Process Management Suite accessible data as well as unauthorized read access to a subset of Oracle Business Process Management Suite accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
First Time appeared Oracle
Oracle business Process Management Suite
CPEs cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle business Process Management Suite
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Oracle Business Process Management Suite
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:22.550Z

Reserved: 2026-03-26T19:48:45.676Z

Link: CVE-2026-34284

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-21T21:16:32.973

Modified: 2026-04-21T21:16:32.973

Link: CVE-2026-34284

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T05:15:06Z

Weaknesses